Magazine article Risk Management

Tech Savvy: Understanding IT Risks: With Tech Threats on the Rise, Ignorance about IT Security Is No Longer an Option. What You Don't Know Can Spell Disaster

Article excerpt


It is unlikely that there is anyone in your organization that you have a harder time relating to than the IT staff. Computer programmers, database administrators and network engineers are as foreign to most risk managers as insurance is to the rest of the world. But as technological threats have increasingly made IT security a business necessity, the divide between IT and risk management is quickly closing. Gaining a better understanding of your IT department's security concerns and, in turn, helping them to understand risk is now more important than ever.


It is no surprise that computer programs are called "languages." They are written in complicated codes that are designed to send messages to a machine. The actual codes may be incomprehensible to the layperson, but they are designed to be efficient and translatable commands. It is not necessary to know precisely which languages your company's developers use, but it is helpful to know whether they use their own proprietary operating code, a code owned by someone else and licensed to you, or an open source code. (Often, it will be a combination.)

It is also a good idea to know the various positions in your IT group and learn what they do. It may look like they all just sit at a computer and type, but each specific function has a different approach to your company's IT needs. Sit down with the head of IT, armed with a copy of your IT organizational chart, and go through each individual function. Learn what each position does and which people need access to sensitive data.

While you are at it, check out the extensive network of connections that makes your system run. Ask to see the list of IT assets and contracts that your company has amassed. You will probably find a variety of hardware and software among the assets, and likely a few contracts with vendors that power, run, support or supply the telecommunications services that run your network.

Once you have a handle on the people and the tangible and intangible assets and obligations, it is time to see what needs to be done from a risk management perspective.

What Is Mine Is Yours--or Is It?

As a risk manager, you know the importance of protecting what is yours and preventing the improper use of what is owned by others. In the IT world, protecting trade secrets is possibly the most important issue that companies face. Go back to your operating code. Your IT department has already told you who owns it, so now you need to figure out how to secure it. If it is proprietary code, it is probably important to you that no one copy and use that program without your permission. That means you will want as much protection as possible. That is tough to do these days, when there are often thousands, if not millions, of lines of code across multiple applications in a variety of servers, databases and storage devices involving dozens of developers, many of whom may be subcontracted or outsourced.

Nevertheless, you will want to make sure that the IT department has done a good job of protecting your code by requiring developers to sign agreements noting the company's ownership and agreeing not to share it with anyone.

If the code is licensed from someone else, a licensing agreement should be on file, documenting who owns what, for how long and at what cost. After that, you want to make sure that the code itself is secured and accessible only to those IT professionals and users that need to have access to it.

If your code includes some open source material, the equation becomes a little more complicated. You may run into some problems if you are modifying the code and calling the modifications your proprietary property. If your legal group has not already checked out the usage of open source in your environment, you will want to get them on the case. There are few things as harrowing to a technology-driven company as a question of rights to use a core piece of software. …
